
NetSupport Manager

Popular among admins and adversaries alike, NetSupport Manager has been increasingly abused over the last few years.

Overall rank: #4

Customers affected: 4.5%


Analysis

A legitimate remote access tool that has been in use for over 30 years, NetSupport Manager is one of the many remote monitoring and management (RMM) tools misused by adversaries. NetSupport Manager is so commonly misused that it’s frequently referred to by security researchers as a malicious remote access trojan (RAT) instead of a benign remote access tool. There are multiple reasons for this, the most significant being that a free trial version of NetSupport Manager is easily obtainable online.

While we’ve observed malicious use of NetSupport Manager since we began tracking it in 2020, abuse has significantly increased across the intervening years into 2025. NetSupport Manager first appeared in our monthly top 10 in February 2023. After almost making the cut in 2023, NetSupport Manager made it into the Threat Detection Report rankings as our seventh most prevalent threat in 2024, and landed at fourth for 2025. August 2025 marked the first time NetSupport Manager hit number 1 in our monthly Intelligence Insights, and we saw a 50 percent year-over-year increase in activity compared to 2024.

Figure: Observed malicious NetSupport Manager use since 2022

Related threats

We’ve seen NetSupport Manager leveraged both as a primary payload in its own right and as a follow-on payload delivered by other threats and techniques in our top 10. In 2025, Scarlet Goldfinch, the sixth most prevalent threat we detected, used NetSupport Manager as a primary or follow-on payload. In previous years, we’ve seen NetSupport Manager delivered alongside other threats as well, like FakeSG, SocGholish, and Qbot, and via MSIX campaigns.

Far and away the most common delivery vehicle for NetSupport Manager in 2025 was T1204.004: Malicious Copy and Paste, our eighth most prevalent technique this year. Not only was NetSupport Manager the primary payload for a number of independent paste-and-run campaigns, but Scarlet Goldfinch also used the technique to deliver NetSupport Manager. Historically, adversaries have delivered NetSupport Manager as a part of many campaigns, so initial delivery methods can vary widely. Malicious NetSupport Manager installations can result from phishing campaigns, fake updates, fake CAPTCHA lures, and more.

Breaking down the parts

NetSupport Manager has several components:

  • NetSupport Manager Client is the component that is installed on systems the adversary wants to control. When we refer to NetSupport Manager, this is typically the component we are referring to.
  • NetSupport Manager Control is the component used on the controlling workstation. This component allows adversaries to upload and execute files.
  • NetSupport Manager Deploy is a component on the controlling workstation that creates some software packaging for deployment, though it does not play an active role after the client is installed.

Legitimate NetSupport installs are often found in the Program Files directory, using the standard filename client32.exe. Suspect instances may be found by looking for client32.exe running from a non-standard directory, such as a user’s Downloads or Roaming folder.

It’s not unusual for adversaries to rename the NetSupport Manager Client file, so looking for binaries with the internal name client32 making network connections to netsupportsoftware[.]com is another good indicator of suspicious NetSupport Manager use.

Take action

The ability to collect and inspect binary signature metadata and binary naming conventions, together with an understanding of common and uncommon installation paths for RMM tools like NetSupport Manager, is the basic prerequisite for developing an effective detection strategy. Of course, the sheer volume of RMM tools available to adversaries, let alone abused by them, renders confident detection coverage a tall order.

The best generic advice for mitigating the risk posed by NetSupport Manager is to create robust allow/blocklist policies and strictly adhere to them.

Detection opportunities

Detection opportunity: NetSupport running from an unexpected directory

Under normal circumstances, you should expect NetSupport Manager to run from the Program Files directory. If you find NetSupport Manager (often identifiable as client32.exe) running outside the Program Files directory, particularly from the ProgramData directory, then it’s worth investigating. In instances where an adversary like FIN7 delivered NetSupport Manager as a follow-on payload, it is frequently observed running from a suspicious location like ProgramData or a user’s directory.

process == (client32.exe)
&&
file_path_includes (programdata)
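
The path check above and the earlier renamed-binary check (internal name client32 with connections to netsupportsoftware[.]com) can be combined into one triage pass over process telemetry. This is an added example, not Red Canary's detection logic; the event field names, hosts, paths and DNS values are constructed for illustration, and the install roots are an assumed baseline.

```python
import ntpath

# Assumed sanctioned install roots and vendor domain; EVENTS are constructed samples
# with hypothetical field names, not a real EDR schema.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_DOMAIN = "netsupportsoftware.com"
EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files (x86)\NetSupport\client32.exe",
     "internal_name": "client32", "dns": ["netsupportsoftware.com"]},
    {"host": "ws02", "image": r"C:\ProgramData\Updater\client32.exe",
     "internal_name": "client32", "dns": ["notnetsupportsoftware.com"]},
    {"host": "ws03", "image": r"C:\Users\alice\AppData\Roaming\media\helper.exe",
     "internal_name": "client32", "dns": ["a.netsupportsoftware.com."]},
    {"host": "ws04", "image": r"C:\Program Files\..\ProgramData\client32.exe",
     "internal_name": "client32", "dns": []},
]

def is_client(event):
    """Match on file name or on the internal name, which survives a rename."""
    file_name = ntpath.basename(event["image"]).lower()
    return file_name == "client32.exe" or event.get("internal_name", "").lower() == "client32"

def in_standard_dir(image):
    """Normalise first so '..' segments cannot fake a Program Files prefix."""
    return ntpath.normpath(image).lower().startswith(STANDARD_ROOTS)

def contacts_vendor(event):
    """Exact or subdomain match only, so look-alike domains do not count."""
    names = [d.lower().rstrip(".") for d in event.get("dns", [])]
    return any(n == VENDOR_DOMAIN or n.endswith("." + VENDOR_DOMAIN) for n in names)

def triage(event):
    """Return the reasons this event deserves investigation (empty if none)."""
    if not is_client(event):
        return []
    reasons = []
    if not in_standard_dir(event["image"]):
        reasons.append("unexpected_directory")
    if ntpath.basename(event["image"]).lower() != "client32.exe":
        reasons.append("renamed_client")
    if reasons and contacts_vendor(event):
        reasons.append("vendor_traffic")  # corroborates an already suspicious client
    return reasons

def hunt(events):
    return {e["host"]: triage(e) for e in events if triage(e)}

if __name__ == "__main__":
    print(hunt(EVENTS))
```
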

Surveyor

You can search your environment for the presence of unsanctioned RMM tools, including NetSupport Manager, using our open source baselining tool Surveyor.

Testing

Start testing your defenses against NetSupport Manager using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

Tests associated with the following ATT&CK techniques may help you validate your coverage for behavior related to NetSupport Manager.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
